Presenting a live 90-minute webinar with interactive Q&A
Workplace Data Breach Challenges: Navigating Notification Requirements, Employee Monitoring and BYOD Programs
Structuring Policies to Prevent and Respond to Leaks of Sensitive, Regulated or Proprietary Data
WEDNESDAY, JULY 30, 2014
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
• V. John Ella, Shareholder, Jackson Lewis, Minneapolis
• Brent E. Kidwell, Partner, Jenner & Block, Chicago
• Joseph J. Lazzarotti, Shareholder, Jackson Lewis, Morristown, N.J.
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
WORKPLACE DATA BREACH CHALLENGES: NAVIGATING NOTIFICATION REQUIREMENTS, EMPLOYEE MONITORING, AND BYOD PROGRAMS
Disclaimer
This presentation provides general information regarding its subject and explicitly may not be construed as providing any individualized advice concerning particular circumstances. Persons needing advice concerning particular circumstances must consult counsel concerning those circumstances.
Workplace Data Breach Challenges
• Employee Monitoring, BYOD programs, and Navigating Notification Requirements.
  ― Employee Monitoring: V. John Ella
  ― BYOD Programs: Brent E. Kidwell
  ― Navigating Notification Requirements: Joseph J. Lazzarotti
Protecting Data
• Trade Secrets
• Personally identifiable information (PII)
• Personal health information (PHI)
• Financial information
• Business plans
• Customer and client data
• Employee data
Steps to Control Access to Employee and Customer/Client Data
• Confidentiality/non-disclosure agreements
• Passwords, encryption, firewalls
• Policies and procedures
• Limited access
• Policies and procedures
• Training
• Monitoring
ALLOWABLE EMPLOYEE MONITORING
Employee Monitoring
• Reasons to monitor
  • Avoid harassment claims
  • Protect trade secrets
  • Detect and dissuade improper behavior
  • Ensure productivity
• Not a reason to monitor
  • Prurient curiosity
Employee Monitoring
• Requirements to Monitor
  • FTC guidance regarding endorsements
  • FINRA requirements
  • Child pornography reporting requirements
  • Electronic discovery
Employee Monitoring
• Types of Monitoring
  • Email
  • Internet use
  • Keystroke/keylogging
  • Cached files
  • Saved passwords on computers
  • Video
  • Audio
  • GPS
  • RFID
  • Social media
  • Physical searches
THINGS TO CONSIDER
“A growing number of companies are under pressure to protect sensitive data — and not just from hackers lurking outside the digital walls. They're also looking to protect it from insiders — employees who may want to swipe information such as customer bank account numbers or electronic medical records.”
Software That Sees Employees, Not Outsiders, As The Real Threat, Shahani, NPR, all tech considered, July 23, 2014
New Monitoring Software
“The content could be personal notes about one's family. Or it could be company secrets. If the employee copies it to a USB stick, the software sets off a red alert, grabs that same file and displays its contents in real-time.”
Software That Sees Employees, Not Outsiders, As The Real Threat, Shahani, NPR, all tech considered, July 23, 2014
New Monitoring Software
“Managers can't predict when an alleged violation might happen. SureView lets them rewind to the minutes or hour before the red alert, and watch like a slow-motion film. Crouse says the software records four frames per second and it's very compressed video, but it's very readable by an investigator.”
Software That Sees Employees, Not Outsiders, As The Real Threat, Shahani, NPR, all tech considered, July 23, 2014
New Monitoring Software
“Companies currently use software to block an employee from copying or emailing an unauthorized document. But according to a study by the research group Gartner, only 5 percent of that software traces every move, looking for bad actors. By 2018, the study projects, it'll be 80 percent.”
Software That Sees Employees, Not Outsiders, As The Real Threat, Shahani, NPR, all tech considered, July 23, 2014
Bad Consequences?
“Shannon heads an institute at Carnegie Mellon that specializes in insider threat technologies. He says failures in these technologies can create a really toxic workplace. Say I'm poking around a bunch of files, doing research above and beyond the call of duty. In the old days, no one would know, or I'd be called proactive.”
Software That Sees Employees, Not Outsiders, As The Real Threat, Shahani, NPR, all tech considered, July 23, 2014
Restrictions on Monitoring
• Electronic Communications Privacy Act (ECPA)
• Stored Communications Act (SCA)
• Common law intrusion upon seclusion
• State wire tap acts
• Notice requirements in CT, DE
• Restrictions on disclosure of social media passwords in 13+ states
Overview of Privacy Law
• Not explicitly in U.S. Constitution (except searches by the government)
• Almost all states have a common law tort for “invasion of privacy”
• California and Montana have a state constitutional right to privacy
Overview of Privacy Law
• Federal statutes are often industry-specific (financial, medical, etc.)
• State legislatures are very busy passing new privacy statutes
• International law differs
• Technology is challenging all of these established legal structures
Common Law Privacy
The Restatement, Second, of Torts, Section 652A sets forth four types of common law invasion of privacy:
• Unreasonable intrusion upon the seclusion of another;
• Appropriation of the other's name or likeness;
• Publication of private facts; and
• Publicity that unreasonably places the other in a false light before the public.
Electronic Monitoring
• Monitoring work email = usually o.k.
• Using work computer to obtain employee’s password to personal, cloud-based email account = usually not o.k.
Employee Monitoring Cases
• Rene v. G.F. Fishers, Inc., 817 F.Supp.2d 1090 (S.D. Ind. 2011)
• Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (N.J. 2010)
• Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 759 F.Supp.2d 417 (S.D.N.Y)
Monitoring – Preventive Steps
• Develop a specific, written policy:
  • Establish information systems are the property of the employer
  • Reserve the right to monitor
  • Prohibit inappropriate use
  • Include penalties for policy violations
Monitoring – Preventive Steps
• Train/educate employees and others
• Keep the monitoring work-related
• Permit reasonable personal use
• Consider additional steps – desktop statement, posting in common area, written consent/acknowledgement
Employee Monitoring Issues
Courts will be more inclined to rule in favor of the employer if:
• Employer owns the “system” (computer, e-mail, etc.)
• Employee voluntarily uses an employer’s network
• Employee has consented to be monitored (usually based in written personnel policy)